RE: snort dropping 48%

["Josh Berry" <josh.berry () netschematics com>]

Barnyard will definately increase detection rates and decrease dropped
packets because Snort will be offloading resouce intensive logging to
another process.  Also, if you are logging to database you cannot use the
-A switches on the command line, they over-ride your configuration file.

> I'm not sure exactly what I am supposed to tweak??  I am running the new
> snort, and have it pointing to the conf which going to a MySQL database.
> Now
> I am not seeing the amount of traffic I thought I would be seeing,
> especially to my websites. So I think it is dropping packets due to
> traffic,
> but I cant be sure. This is the command I issue:
>
> snort -dc /etc/snort/snort.conf
>
> would the fast mode switch help me?  should I use barnyard?
>
> Any help would be great
>
> -----Original Message-----
> From: snort-users-admin () lists sourceforge net
> [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Josh Berry
> Sent: Friday, May 07, 2004 9:19 AM
> To: Sheahan, Paul
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] snort dropping 48%
>
> I have had no problems running snort on Gigabit once I tuned the system.
> One of the biggest differences was disabling the log directory creation
> with -N, and completely removing the -l switch.  Using -l with -N doesn't
> make sense, isn't that like saying log, don't log?
>
> I also found information on tuning the Linux filesystem, and tuning the
> network cards.  It helps to use a NIC capable of using NAPI.  It sounds as
> though you might have issues with the NIC drivers.  If it is not the
> drivers you could try using the MMAP version of libpcap at:
> http://public.lanl.gov/cpw/.
>
> I also have a custom kernel that I stripped everything out of that wasn't
> completely necessary and then added performance enhancing patches for the
> scheduler, the low-latency patches and pre-emptive patches.
>
> If you are running on a dual processor system you could set the CPU
> affinity for the Snort process.
>
> > Sheahan, Paul wrote:
> >
> > > Also Snort STILL creates individual directories for
> > > each address it encounters. So many directories get created in reaches
> > > the Linux limit after a while and crashes Snort. I suppose Snort could
> > > be so busy with this that it may be contributing to the packet loss?
> > If you specify the -N switch it should not do any packet logging. I just
> > tested this with `snort -d -l ./ -N -c /usr/local/etc/snort.conf'. It
> > generates the alert file , but not any packet logs, sounds like you
> > might not be using the -N switch properly (or the -N switch needs to be
> > in a certain spot?). I could see how default packet logging could easily
> > kill a server that runs on gigabit though.
> > While this may contribute to it, it doesn't sound like the root of your
> > problem though as you've previously tried logging binary format.
> >
> > Sheahan, Paul wrote:
> >
> > > The content rules are the issue, but it is still a mystery why old
> > > hardware and Snort version worked.
> >
> > The real difference here is a amount of traffic snort needs to analyze.
> > Gigabit ethernet is a 10x faster than standard. Thats a lot of packets!
> > What we really need is a response from someone who effectively runs
> > snort on a gigabit network. Can snort run "out of the box" on a gigabit
> > network efficiently (given decent hardware of course) or does it need to
> > be tweaked to prevent major packet loss?
> >
> > As for your current situation Paul, would it be feasible to share the
> > load between multiple sensors? Each sensor containing 100 of your custom
> > rules? That might work to get every packet on the wire without having to
> > sacrifice some of snort's features for speed.
> > Just an idea. :)
> >
> > sgt_b
> >
> >
> > -------------------------------------------------------
> > This SF.Net email is sponsored by Sleepycat Software
> > Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to
> > deliver higher performing products faster, at low TCO.
> > http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by Sleepycat Software
> Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to
> deliver higher performing products faster, at low TCO.
> http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users





-------------------------------------------------------
This SF.Net email is sponsored by Sleepycat Software
Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to 
deliver higher performing products faster, at low TCO.
http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users